However, like some previous people here, I'm having problems sending mail. I did the:

KMail -> SASL -> Postfix -> SASL -> ISP

route to send things. However, I think the problem is in the first three, because messages never get sent as far as KMail is concerned.

I also tried using Thunderbird, and it complains about a bad or corrupted certificate (Error -8182, I believe). KMail complained about bad certificates on both the SMTP and IMAP servers, but it said that was just because they were signed by themselves, or some such, so I didn't think much of it.

Do I need to do something to generate keys or certificates for SMTP authentication, or is something else wrong? The relevant (I think) lines of my postfix main.cf follow (I think I got them right, but many eyes are better than 2):

Regarding the Thunderbird error... Not quite sure about it, but every email client should complain about your certs because they are NOT generated by a trusted certificate agent. That said, it should just be for your home network so nothing to worry about. In KMail you can choose to accept the SSL cert forever.

Hope this helps.

_________________
I have nothing witty to say here... ever

Along with lots of other SSL stuff. I'll look back at past posts to see if anything like this was remedied earlier, but if anything jumps out at you, I'd be much obliged.

Thanks for all your help.

Edit:

Seems like I have the same problem as Bob, based on the errors in the log. I tried commenting out the mail relay stuff in main.cf, but that didn't seem to solve anything. Anyhow, I guess this is a problem for another day. Maybe tomorrow I'll remerge OpenSSL and Postfix and see if that fixes anything.

_________________
They don't have a good bathroom to do coke in.

For clients, both KMail and Thunderbird don't work. I haven't tried others. KMail doesn't generate any errors other than something like "failed to send some messages" in the status bar. Thunderbird gives 'Could not establish an connection because certificate presented is invalid or corrupted. Error Code: -8182' when trying to send.

In the KMail settings, Encryption is TLS, authentication is PLAIN, just like in the tutorial. That's what comes up by default when I click "Check What the Server Supports." Thunderbird doesn't have a similar button, so I just chose similar settings to KMail.

Here's a complete tail while attempting to send mail from Thunderbird. KMail doesn't generate anything in the logs when attempting and failing to send.

KMail should generate a bit more verbose error on the client side... but if it doesn't, something should be recorded since it successfully started a TLS session.... /var/log/mail.err ? /var/log/mail.warn ?

_________________
I have nothing witty to say here... ever

So I assume the permissions on /etc/sasl2/sasldb2 are set wrong. Currently they're:

Quote:

-rw-r----- 1 root mail 49152 Feb 5 19:25 sasldb2

Is this incorrect?

I don't know why KMail is connecting to postfix now and it didn't seem to be before, though. I guess I'll just chalk it up to random computer weirdness (like yesterday, when I was fooling around with apache2, and kept getting internal server errors on one file until I copied its contents, deleted the file, re-created the file and pasted the contents back in). Sorry to trouble you so much.

_________________
They don't have a good bathroom to do coke in.

v2.0 of this guide stopped using sasldb since this error became all too common. If you wish to continue using sasldb though, make sure you `chown postfix /etc/sasl2/sasldb2' ... since Postfix can't read the db as it stands now....

It's no trouble at all... Believe it or not, I've learned far more maintaining this guide than originally setting it up.

_________________
I have nothing witty to say here... ever
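The permission problem in the post above is a plain POSIX access-control question: `smtpd` runs as an unprivileged user, and a file that is `root:mail` with mode `-rw-r-----` gives that user only the "other" bits. The following script is an added example (not code from the guide or from Postfix) that parses the `ls -l` line quoted in the thread and applies the POSIX owner/group/other rule to show why `chown postfix` fixes it. It assumes the Postfix daemon user is `postfix` with `postfix` as its only group; the sample `ls -l` line is the one from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the `ls -l` line quoted in the thread for sasldb2.
SASLDB2_LINE = "-rw-r----- 1 root mail 49152 Feb 5 19:25 sasldb2"

# Type char + nine permission chars, link count, owner, group; the rest is ignored.
LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s"
)


@dataclass(frozen=True)
class FileEntry:
    mode: str   # e.g. "-rw-r-----"
    owner: str
    group: str


def parse_ls_line(line: str) -> FileEntry:
    """Extract mode, owner and group from one line of `ls -l` output."""
    m = LS_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an ls -l line: {line!r}")
    return FileEntry(m["mode"], m["owner"], m["group"])


def can_read(entry: FileEntry, user: str, groups: frozenset) -> bool:
    """POSIX discretionary access: root reads anything; otherwise exactly one
    permission triplet applies, chosen by owner match, then group membership,
    then 'other'. Group bits are NOT consulted for the owner, and vice versa."""
    if user == "root":
        return True
    bits = entry.mode[1:]          # drop the file-type character
    if user == entry.owner:
        triplet = bits[0:3]
    elif entry.group in groups:
        triplet = bits[3:6]
    else:
        triplet = bits[6:9]
    return triplet[0] == "r"


def diagnose(line: str, user: str, groups: frozenset) -> str:
    """Return 'ok' or a one-line explanation of why `user` cannot read the file."""
    entry = parse_ls_line(line)
    if can_read(entry, user, groups):
        return "ok"
    group_list = ", ".join(sorted(groups)) or "none"
    return (f"{user} (groups: {group_list}) cannot read a "
            f"{entry.mode} file owned by {entry.owner}:{entry.group}")


def after_chown(entry: FileEntry, new_owner: str) -> FileEntry:
    """Model `chown <new_owner> <file>`: only the owner changes."""
    return FileEntry(entry.mode, new_owner, entry.group)


if __name__ == "__main__":
    # Assumption: Postfix's smtpd runs as the unprivileged user 'postfix',
    # whose only group is 'postfix'.
    postfix_groups = frozenset({"postfix"})
    print(diagnose(SASLDB2_LINE, "postfix", postfix_groups))
    fixed = after_chown(parse_ls_line(SASLDB2_LINE), "postfix")
    print("readable after chown postfix:", can_read(fixed, "postfix", postfix_groups))
```

The same check shows the other repair that would work: adding `postfix` to the `mail` group makes the group triplet `r--` apply. Either way the file stays unreadable to everyone else, which is what you want for a credential database.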

Thanks for pointing out that I shouldn't have gotten rid of the whole localhost line in /etc/hosts (if you do then you have to reconfigure the IMAP server; I found that out the hard way).

Anyway, once I was able to send mail without a problem using postfix, I went on to try to figure out how to receive mail directly using my new setup. It took a while (at first I thought that my ISP might be blocking port 25, but that turned out to be wrong ...), but I finally found that I had to comment out a line in my main.cf, so that the relevant lines now look like:

I looked around in the docs for postfix some, but I'm still a little unclear ... is commenting out the smtp_client_restrictions line a security risk? If so does anyone have any suggestions for a good rule?

Then edit your /etc/postfix/main.cf file to include support for amavis:

Code:

content_filter = smtp-amavis:[127.0.0.1]:10024

2.2) Optional Configurations

Now for some optional configurations. The configuration file for amavisd-new is ~1500 lines long, so there are many options that can be controlled. These are the ones that I found most useful for my small home setup (although amavisd should work just fine without changing any of these if you don't want to).

To modify the configuration settings for amavisd-new, open up the config file /etc/amavisd.conf. From there you can:

1) Tell amavisd what to do about sending return emails when you get a virus and/or spam (note: this has nothing to do with whether or not the virus/spam is saved in a quarantine).

By default, amavisd sends a bounce or a reject when it scans a spam or a virus. To change that behavior so that it does nothing (i.e. just drops the email w/o a reply to the sender), go to ~ line 380 in the file and change the $final_virus_destiny and $final_spam_destiny (and the other ones if you like) to D_DISCARD:

If you prefer to bounce virus emails back to the senders except when the virus is known to spoof the return address, there are more detailed configurations at ~ line 430 that allow you (at least in principle) to do this.

2) If you would like a notification sent to you or an admin when a virus (or spam) is detected, you can specify a default location at ~ line 450 in the conf file. In this example, I am sending all the notifications to virusalert@mydomain.com. In this case, I would either have to create a user named virusalert or specify an alias in /etc/aliases.

If you are like me and have tons of people sending you the latest viruses via email, you might want to set up a cron job in cron.daily or cron.weekly to delete the quarantined email on a regular basis.

4) If you want to use amavisd to filter out emails with suspicious file types as attachments, look at ~ line 660 and uncomment the following (and add your own types if you like):

Code:

qr'.\.(exe|vbs|pif|scr|bat|com)$'i, # banned extension - basic

3) Configuring ClamAV

Luckily, nothing really needs to be done to clamav, as amavisd just calls the command line scanner (so we don't need to start the daemon). We do, however, want to make sure that we are updating our virus definitions on a regular basis, so create a file in /etc/cron.daily (I called mine freshclam, but the name doesn't matter ...) with the following content:

Next, make sure the permissions are correct (it needs to be executable):

Code:

-rwxr-xr-x 1 root root 116 Feb 6 23:55 freshclam

Finally, as mentioned in the guide, make sure that fetchmail is passing the mail directly to postfix (via port 25) rather than procmail. Since I check mine via cron, I just changed my crontab to:

Code:

*/5 * * * * /usr/bin/fetchmail -K -s

(vary your options to taste, of course ... the important thing is to get rid of the '-m procmail ...' part of the line).

4) Testing and Automation

That's it for the config ... now all that's left is to start everything up! For the first try, you can start amavisd in debug mode:

Code:

# su - amavis
$ /usr/local/sbin/amavisd debug

In another window, reload postfix (/etc/init.d/postfix reload). If there are problems and you can't send/receive mail (or the virus scanner isn't doing its job), you should be able to see it in the debugging output and the mail logs (mine are in /var/log/mail.log).

Once you know everything is working, go ahead and set amavisd to start with the system:

Code:

amavis # rc-update add amavisd default

Anyway, this seems to be a little longer than I thought it was going to be! Hope it helps anyone who wants to add virus scanning into their system.

Oh, one other tip, if you have SpamAssassin installed on your system, amavis is supposed to integrate with it almost seamlessly ... I don't have it installed so I don't know, so maybe someone who does could let me know if it works?

John

Last edited by john5211 on Sun Feb 08, 2004 7:13 am; edited 1 time in total
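The banned-extension line in step 4 of the post above is a Perl regex, and it is worth seeing exactly which attachment names it catches before relying on it. The script below is an added example, not part of john5211's guide or of amavisd-new: it carries the same pattern over to Python's `re` (the `i` flag becomes `re.IGNORECASE`; `qr'...'` with single-quote delimiters just means no variable interpolation) and runs it over a constructed list of attachment names, including the double-extension and upper-case cases that matter in practice.

```python
import re

# Python equivalent of the amavisd.conf rule quoted in the post:
#     qr'.\.(exe|vbs|pif|scr|bat|com)$'i
# Perl's qr'...' (single-quote delimiters) does no variable interpolation,
# and the trailing i flag is case-insensitive matching.
BANNED_BASIC = re.compile(r".\.(exe|vbs|pif|scr|bat|com)$", re.IGNORECASE)


def is_banned(filename: str, pattern: re.Pattern = BANNED_BASIC) -> bool:
    """True when the attachment name ends in one of the banned extensions.
    The leading `.` before `\\.` requires at least one character before the
    final dot, so a bare '.exe' is not matched; `$` anchors to the end of
    the name, so 'patch.exe.txt' is not matched either."""
    return pattern.search(filename) is not None


def banned_attachments(names: list) -> list:
    """Return the subset of attachment names the rule would block."""
    return [n for n in names if is_banned(n)]


# Constructed sample: attachment names as they might appear in one message.
SAMPLE_ATTACHMENTS = [
    "quarterly-report.pdf",
    "invoice.pdf.exe",      # double extension, still ends in .exe
    "Setup.EXE",            # upper case, caught by the i flag
    "readme.txt",
    "patch.exe.txt",        # ends in .txt, not banned by this rule
    "login.vbs",
    ".exe",                 # nothing before the dot, not matched
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:24} banned={is_banned(name)}")
```

The rule only looks at the final extension, which is the right behaviour for the "basic" list: a name like `invoice.pdf.exe` is an executable however it is dressed up, while `patch.exe.txt` is not. Add further extensions to the alternation group exactly as the post suggests; the `$` anchor and the case-insensitive flag then apply to them too.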

Well, I don't think my web browser was using a cached version, because I've reloaded the first page many times, and I don't think I ever visited this thread before version 2.0 anyway.

I've checked all my config files against the ones in the tutorial, and I can't see any discrepancies. Is it possible that SASL is just ignoring its configuration or something? I see 5 saslauthd -a shadow processes running, but it seems that when postfix tries to authenticate, it just tries to use sasldb2.

I've googled for solutions, but found none. I found a tutorial similar to your own, but it seemed to talk about saslauthd and sasldb solutions without distinguishing between the two, so that was no help. I searched the forums here and found several people having problems with saslauthd, both with the pam and shadow auth methods. However, the threads just end without a solution, so they are no help (one ends with "Hey, it magically fixed itself!", but that's not a very satisfying solution).

One other thing I've noticed is that when I click on the "Check what the server supports" and when I turn off TLS momentarily and telnet to postfix, it lists many more options than just PLAIN and LOGIN for logging in. Here's the line:

Dollo and beowulf:
I encountered the same problem on authentication with postfix/sasl. I've followed the ver.2 guide in order for sasl to authenticate against shadow. However, sasl seems to ignore the setting and continue to authenticate against sasldb!

Note: Now for some reason, sasl will not play nicely with pam against the shadow file. I banged my head against this problem for, well, a long time. If anyone knows why sasl will not auth against the shadow file in its current gentoo incarnation, please email me as I'd love to hear a solution to this.

Quote:

As I said before, as it stands now AUTH will not work. That's because sasl will try to auth against its sasldb, instead of the shadow file for some unknown reason, which we have not set up. So we're going to just plow through and set up mysql to hold all of our auth and virtual domain information.

beowulf, do you have any idea how to work around the problem? It'll be nice if I can get sasl working without using mysql.

If you just emerged clamav and f-prot *AND* you don't have any other virus scanner then comment out all virus scanners in amavisd.conf leaving only two of them. I use clamav as a primary scanner and f-prot as a backup, but your mileage may vary:

I haven't found a convenient way to run either clamav or f-prot as a daemon, so I've decided: if it's broken just to install as a daemon then most likely it will also fail to work as a daemon.

But as a command-line scanner both clamav and f-prot work fine. All infected messages are quarantined.

I am so excited with clamav and f-prot that I am thinking if I could use them with squid or danguardian.

_________________
"Lisp is a programmable programming language." - John Foderaro, CACM, September 1991

Must be a missing configure flag in the ebuild, or something, because the manpage for saslauthd doesn't mention that you can specify alternate config files (in which case you could just modify the init script, I guess).

Anyway, thanks so much for your help, and that goes for everyone who puzzled over my problems.

_________________
They don't have a good bathroom to do coke in.

woolong, dolio - Excellent, I'll make the addition to the guide after this post is submitted about /usr/lib/sasl2/smtpd.conf -- I happened to have it set, but didn't think it was getting read so went with /etc/sasl..... I'll list both just to be safe as I can't determine which file is being read... (better to be safe than sorry I guess....)

Thanks for the correction and I'll add it to the guide!

Unfortunately, I'm not sure what you mean by your own certs. Do you mean you wish to generate them yourself? Or that you have your own from a "trusted certificate authority" such as Verisign and Thawte? If it's the first (generate your own), I can post some steps if you'd like? Let me know....

MooktaKiNG -- Postfix doesn't need to recognize your ip, however, it might be prudent to add a line in /etc/hosts describing your computer at 192.168.1.2...

If you wish to disable SSL, I believe you can simply comment out the SSL stuff in /etc/postfix/main.cf...

---------

Version 2.1 added, it just contains the fix mentioned above, as well as a link to this page for the AV info... Nothing major...

Again, sorry for taking so long to reply....

_________________
I have nothing witty to say here... ever

Also it would be a great idea to integrate something like hothayd or gotmail to add hotmail compatibility.

Hothayd can also support other websites, like Yahoo etc.

I love the way the bogofilter has been setup. Fantastic idea. Now there's no need to look for server side plugins for squirrelmail, and now also any web client can be used.

_________________
http://www.mooktakim.com
Athlon XP 2001, Giga-Byte GA-7VRXP MB, 640Mb DDR RAM 333MHz, MSI Geforce 4800SE 128Mb DDR, 40x12x48 Liteon CDRW drive, Flower Cooler, ADSL Router

Quote:

woolong, dolio - Excellent, I'll make the addition to the guide after this post is submitted about /usr/lib/sasl2/smtpd.conf -- I happened to have it set, but didn't think it was getting read so went with /etc/sasl..... I'll list both just to be safe as I can't determine which file is being read... (better to be safe than sorry I guess....)

beowulf - On my system /usr/lib/sasl2/smtpd.conf is a symlink to /etc/sasl2/smtpd.conf

I'm getting the Thunderbird SMTP problem with TLS enabled.

Code:

Could not establish an encrypted connection because certificate presented by 192.168.1.100 is invalid or corrupted. Error Code: -8182

Setting "smtpd_tls_auth_only = no" and turning TLS off in Thunderbird lets me send okay (but my password is going out cleartext). I can send with TLS on in Outlook Express 5.0 and Outlook 2000. It looks like the certificates are bad, but Outlook Express uses them anyway.
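"My password is going out cleartext" in the post above is literally true: SASL PLAIN (RFC 4616) is the NUL-separated string `authzid NUL authcid NUL password`, base64-encoded for the wire, and base64 is an encoding anyone can reverse. The script below is an added example (not code from the guide, Postfix, or Thunderbird) that builds and reverses such a message for constructed credentials, and models the one Postfix behaviour the thread relies on: with `smtpd_tls_auth_only = yes`, AUTH is announced only after STARTTLS. The credentials `user`/`pass` are made up.

```python
import base64

# RFC 4616 SASL PLAIN: [authzid] NUL authcid NUL passwd, base64-encoded on the wire.
# Base64 is an encoding, not encryption: one decode recovers the password, which
# is why the AUTH exchange must sit inside TLS (Postfix: smtpd_tls_auth_only = yes).


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the base64 argument a client sends after 'AUTH PLAIN'."""
    raw = authzid.encode("utf-8") + b"\0" + authcid.encode("utf-8") + b"\0" + passwd.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64: str) -> tuple:
    """Reverse of encode_plain: (authzid, authcid, passwd).
    Raises ValueError on anything that is not a well-formed PLAIN message."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def auth_offered(tls_active: bool, tls_auth_only: bool) -> bool:
    """Model of the Postfix setting discussed in the thread: with
    smtpd_tls_auth_only = yes the server announces AUTH only once STARTTLS
    has completed; with 'no' it announces AUTH on the plaintext session too."""
    return tls_active or not tls_auth_only


if __name__ == "__main__":
    # Constructed credentials, not real ones.
    wire = encode_plain("user", "pass")
    print("AUTH PLAIN", wire)
    print("decodes to", decode_plain(wire))
    for tls, only in [(False, True), (False, False), (True, True)]:
        print(f"tls_active={tls} smtpd_tls_auth_only={'yes' if only else 'no'} "
              f"-> AUTH offered: {auth_offered(tls, only)}")
```

The practical reading: turning `smtpd_tls_auth_only` off to placate a client that rejects the self-signed certificate trades the certificate warning for a password that crosses the network in a reversible encoding. Getting the client to trust the certificate (or installing one it trusts) is the fix; the setting should stay at `yes`.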

MooktaKiNG -- I think I'll sign up for a hotmail account just to test out gotmail and add it to the guide... I don't have an account so never bothered investigating the matter.... But quite a number of people use it... so I guess it wouldn't hurt -- I don't think I'll be adding ldap or samba though... not for a very long time... I know nothing of ldap and I can't even get my printer working in samba... I haven't tried very hard since I only play games in Windows... It may go on a possible todo list, not sure yet... thanks for the suggestions.

PloreOSU -- Yeah, it used to be a symlink on my system before my HDD died and had to re-install. I think one of the newer ebuilds determines if the file/symlink exists and if not copies a file to both places... *shrugs* -- I believe Thunderbird won't allow you to connect when the SSL cert is not valid (not issued by a trusted source). If I get some time over the weekend I'll try testing it out and see why only Thunderbird is choking on the certs... Thanks for the confirmation.

_________________
I have nothing witty to say here... ever

Quote:

Unfortunately, I'm not sure what you mean by your own certs. Do you mean you wish to generate them yourself? Or that you have your own from a "trusted certificate authority" such as Verisign and Thawte? If it's the first (generate your own), I can post some steps if you'd like? Let me know....

What I meant was changing fields like countryName_default and stateOrProvinceName_default to what I want.

Since you've mentioned, I'm also interested in getting a cert from a "trusted certificate authority". I'm curious about how much it costs, which one the best provider, and the steps to get it done.

No need to be sorry. We are all grateful for what you've done for the guide!